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Abstract — It is known that given the real sum of two indepen- 
dent uniformly distributed lattice points from the same nested 
lattice codebook, the eavesdropper can obtain at most 1 bit 
of information per channel regarding the value of one of the 
lattice points. In this work, we study the effect of this 1 bit 
information on the equivocation expressed in three commonly 
used information theoretic measures, i.e., the Shannon entropy, 
the Renyi entropy and the min entropy. We then demonstrate 
its applications in an interference channel with a confidential 
message. In our previous work, we showed that nested lattice 
codes can outperform Gaussian codes for this channel when the 
achieved rate is measured with the weak secrecy notion. Here, 
with the Renyi entropy and the min entropy measure, we prove 
that the same secure degree of freedom is achievable with the 
strong secrecy notion as well. A major benefit of the new coding 
scheme is that the strong secrecy is generated from a single 
lattice point instead of a sequence of lattice points. Hence the 
mutual information between the confidential message and the 
observation of the eavesdropper decreases much faster with the 
number of channel uses than previously known strong secrecy 
coding methods for nested lattice codes. 

I. Introduction 

Information theoretic secrecy, first proposed by Shannon 
[1], is an approach to study the secrecy aspect of a com- 
munication system against a computation power unbounded 
adversary. This approach was later applied to the wiretap 
channel [2]-[4] and recently extended to multiple access 
channel [5], broadcast channel [6], interference channel [7]. 
The focus of this body of literature is on the fundamental 
rate limits at which secret communication can take place. 

Lattice codes were found recently to be useful in construct- 
ing information theoretically secure coding schemes [8]. In 
[8], [9], the authors showed that with the nested lattice code, 
the real sum of two lattice points leaked at most 1 bit of 
information per channel use to the eavesdropper regarding 
the value of one of the lattice points. Using this property, 
secrecy rate can then be achieved by using a random wiretap 
code while restricting the channel inputs to lattice points. The 
coding scheme is shown to be useful in providing secrecy in 
a multi-hop relay channel [8] and interference channels [9]- 
[12] . In particular, it outperforms Gaussian signaling scheme 
at high SNR in many fully connected two user Gaussian 
Channels with interference [9], [12]. 

The secrecy rates in all these works are derived with the 
notion of weak secrecy. If the observation of the eavesdropper 
is Z", and the confidential message is W, then weak secrecy 



requires: 



lim 

n— »oo Tl 



(1) 



However, sometimes, it is more useful to upper bound the 
following term: 



J2 \p{W,Z-)-p{W)p{Z-)\ 



(2) 



W.Z" 



which tells how different the joint distribution of {W, Z"} 
is from this distribution if they are truly independent. Such a 
bound can be found via the Pinsker's inequality [13, Theorem 
2.33] if / (W; Z") can be bounded. Yet, it is clear that it is 
not possible to upper bound I [W; Z") with the weak secrecy 
notion in ([1]). In fact, / {W; Z") can still be arbitrarily large 
despite ^ being valid. For example, it can increase at the 
rate of log(n). To solve this problem, it is necessary to switch 
to the strong secrecy notion, which is defined as: 



lim liWiZ''' 







(3) 



In this work, we focus on how to achieve the strong secrecy 
notion using the nested lattice codes. 

There are two known techniques in achieving strong se- 
crecy. Reference [14] shows that for any discrete memoryless 
wiretap channel, it is possible for both the decoding error 
probability and I{W; Z") to decrease exponentially with the 
number of the channel use. Yet, the proof of [14] uses random 
codes, and does not naturally extend to the lattice codes. 
One way to get around this problem is to treat each lattice 
point as a single channel use [15], [16], and design random 
codes for this extended channel using the method from [14]. 
However, as we will show later, doing so makes the length of 
a codeword to be much larger than the dimension of a lattice 
point. Because of this reason, the exponentially decreasing 
property of /(VK; Z") in n is lost. 

Reference [17] proposed that for a discrete memoryless 
channel, if there is a coding scheme that achieves weak 
secrecy given by ([T]i, it can be combined with the privacy 
amplification technique in [18] to achieve the strong se- 
crecy notion in (O. The exponential decreasing property 
of /(M^; Z") was not shown in [17] but can be proved 
by replacing the weak typicality used in [17] with strong 
typicality. Yet, since the proof of [17] relies on the typicality 
property of a i.i.d. generated sequence , it is again for random 



codes. If this approach were to be used with lattice codes, 
we will encounter the same problem we had with [14], i.e., 
the exponentially decreasing property of I{W; Z") will be 
lost. 

The coding scheme proposed in this work avoids this 
problem through a different method of lower bounding Renyi 
entropy and min entropy. In [17], this is obtained via the 
typicality property of i.i.d. sequence. Here it is proved instead 
using the representation theorem proposed in [8], [9], a 
unique property of nested lattice structure. The strong secrecy 
is hence generated from a single lattice point rather than a 
sequence of lattice points. Consequently, the exponentially 
decreasing property of I{W; Z") is preserved. 

The rest part of the paper is organized as follows. In 
Section we summarize useful results on the effect of side 
information on information theoretic measures. These results 
show that revealing m bits of information will not decrease 
entropy measures by more than m with high probability. In 
Section Uni we apply these results to lattice nested code, by 
viewing the integer in the representation theorem as the side 
information. We then use these results to prove achievable 
secure degree of freedom for an interference channel with 
confidential messages. The channel model is described in 
Section|lV] The achievable secure degree of freedom is stated 
in Section [V] and proved in Section [VT] and Section IVIII 
Section [Villi concludes the paper. 

II. Effect of Side Information on Information 
Theoretic Measure 

In this section, we provide some supporting results which 
will be used later Let X, T denote two discrete random 
variable. 

Definition 1: For a discrete random variable X, the Shan- 
non entropy H{X) is defined as 

H{X) = -^Vt{X = x)\og.2^i{X ^ x) (4) 

X 

The Renyi entropy H2{X) is defined as 

i72(X) = -log2^Pr(X = xf (5) 

X 

The min entropy Hoo{X) is defined as 

i^oo {X) = - log2 max Pr(X = x) (6) 

X 

Let ||r|| denote the cardinality of the alphabet set T is 
defined on. Then we have the following lemmas. 
Lemma 1: [19] For Shannon entropy, we have: 

H{X\T)>H{X)-\og2\\T\\ (7) 

The relationship says the introduction of logj ||rj| bits side 
information can not decrease the entropy of X by more than 
log2 ||rj| bits. The proof follows from the following equation: 

H{X)<H{X,T) (8) 
=H{X\T) + H{T) (9) 

<i/(x|r) + iog2||r|| (10) 



In our previous work [8], [9], we use this lemma to prove 
that using nested lattice codes, the real sum of two lattice 
points from the same lattice codebook leaks at most 1 bit of 
information per channel use to the eavesdropper regarding 
the value of one of the lattice points, if the other point is 
independently generated and uniformly distributed over the 
codebook. This result opens the door for applying nested 
lattice codes to achieve weak secrecy in Gaussian channels. 

Lemma 2: [20, P 106, Theorem 5.2] [17, Lemma 3] For 
Renyi entropy and s > 0, we have: 

Pr [t : H2 {X) - H2 {X\T = t) < log^ \\T\\ + s) 
>l-2-("/2-i) (11) 

The lemma says with high probability the introduction of 
log2 bits side information can not decrease the Renyi 
entropy of X by more than log2 ||T|| bits. The proof can be 
found in [20, P 106, Theorem 5.2]. In [20], T is also called 
"spoiler information". Later, we will use this lemma to prove 
strong secrecy rate based on the universal hash function. 

Lemma 3: [17, Lemma 10] For min entropy and s > 0, 
we have: 

Pr {t : ifoo (X) - {X\T ^ t) < log^ \\T\\ + s) 

> 1 - 2-" (12) 

The lemma says with high probability the introduction of 
log2 |lr|| bits side information can not decrease the min 
entropy of X by more than log2 ||r|| bits. A proof of this 
lemma is provided in Appendix |A] Later, we will use this 
lemma to prove strong secret key rate based on extractor 
functions [21]. 

III. Nested Lattice Codes 

In this section, we describe the nested lattice codes, the 
representation theorem from [8], [9] and its implication in 
terms of the three information theoretic measures described 
in Section HIl 

A nested lattice code is defined as an intersection of an 
A^-dimensional "fine" lattice A and the fundamental region 
of an A^-dimensional "coarse" lattice Ac, denoted by V(Ac). 
A, Ac C R^. The term "nested" comes from the fact that 
Ac C A. The modulus operation is defined as the quantization 
error of a point x with respect to the coarse lattice Ac: 

X mod Ac = X — arg min ||a; — (13) 

where ||x — y||2 is the Euclidean distance between x and y in 
R^. It can be verified that AnV(Ac) is a finite Abelian group 
when the addition operation between two elements x,y G 
A n V(Ac) is defined as 

a; + y mod Ac (14) 

The signal X^ transmitted over N channel uses from a 
nested lattice codebook is given by 

= (w^ + d^) mod Ac (15) 



Here is the lattice point chosen from An V(Ac), and 
is called the dithering vector Conventionally, is defined 
as a continuous random vector which is uniformly distributed 
over V(Ac) [22]. It was shown in [9] that a fixed dithering 
vector can be used. Either way, the nature of d^ will not 
affect the result described below. In the following, we assume 
is independent from d^. We also assume that d^ is 
perfectly known by all receiving nodes, and hence, is not 
used to enhance secrecy. 

As will be shown later, our goal in general will be to bound 
the expression of the following form: For Shannon entropy, 
it is written as; 

H{u^\X^±Xi',d^,d^) (16) 

For Renyi entropy and min entropy, simply replace H in 
(fTSI l with H2 and iJoo respectively. Here Here uf , X^^ , df 
correspond to the ,X^ , d^ mentioned above respectively. 
That is to say that uf^ G An V(Ac); df^ is the dithering noise; 
X[^ = (uf + df ) mod Ac. In addition, uf , df , i = 1, 2 are 
independent. 

All three information theoretic measures considered in this 
work can be bounded using the representation theorem from 
[8], [9]: 

Theorem 1: Let ti,t2, ■■■,tK be K numbers taken from 
the fundamental region of a given lattice A. There exists a 

K 

integer T, such that 1 < T < K'^ , and ^ tk is uniquely 

fc=i 

K 

determined by {T, ^ tk mod A}. 

k=l 

The proof can be found in [9]. 

Clearly, Xj^,i — 1,2 are in the fundamental region of 
Ac. Hence the theorem says X^ + X^ can be uniquely 
determined by T, {X^ + ) mod A^, 1 < T < 2^. Since 
fundamental region of Ac is symmetric with respect to the 
origin, the same results hold for X^ — X^ as well. 

In the sequel, let T be the integer whose existence is 
guaranteed by Theorem[T] For a discrete random variable X, 
let X denote a deterministic value such that Pr(X = x) > 0. 
With these notations, we have the following corollary to the 
three lemmas in Section HIl 

Corollary 1: In terms of Shannon entropy, we have 

H ± mod Ac, d^,i = 1, 2) 

- H {u^\X^ ± Xi',df, z = 1, 2) < log2 ril (17) 
In terms of Renyi entropy, consider the inequality 

H2iu^\u^ ± mod Ac = u,df ^ df,i = 1, 2) 

- H2 {u^\X^ ± X^ = df = Jf , z = 1, 2) 
<log2l|T||+s (18) 

where 2; is a function of u, d^ and T. Then we have 

Pr ( t:T = i, and (HI holds ) > 1 - 2-^^/2-^' (19) 
In terms of min entropy, consider the inequality: 

Hoc ±wf mod Ac = u,d^ = df,i = 1,2) 

- (^f |Xf ± X^ = X, df = Jf , z = 1, 2) 
< log2 ||T|| + s (20) 




Fig. 1. The Gaussian Wiretap Channel with a Cooperative Jammer 

we have 

Pr ( t:T = t, and (|20ll holds ) > 1 - 2"'* (21) 

Proof: Equation (fTTT i uses Lemma [T] and its proof can 
be found in [8], [9]. 

We next prove ( fT9] ). We begin with; 

H2 (uf |Xf ± X^ = X, df = df, ^ = l,2) (22) 
2 

=iJ2(uf I « + O mod Ac = X, 

df = d7,z = 1,2) (23) 

From Theorem [T] ( |23] ) can be written as: 

2 

^2«|(^< + df ) mod Ac = x\ 

T = t,df = df ,i = 1,2) (24) 
2 

where x' is a constant such that when itf + df ) mod 

2 

Ac = x' and T ^ t, we have J2 ("f + c'f ) mod Ac = x. 

Theorem [1] guarantees the existence of such x' and t. 

We then consider T as the side information and apply 
Lemma |2] to This yields ( fT9l ). 

The proof for ( I2TI 1 is similar. We simply rewrite (|23l)-(l24li 
by replacing H2 with Hoo- Equation ( I2TI 1 follows by viewing 
T as the side information and apply Lemma [3] 

Hence we have proved the Corollary. ■ 

We next demonstrate the usefulness of Corollary [T] in an 
interference channel with confidential message. 

IV. Channel Model and Problem Formulation 

We will focus on the Gaussian wiretap channel with a 
cooperative jammer [23] . All results derived in this work 
extend to the iiT-user interference channel with a confidential 
message in a straightforward manner 

The channel model is shown in Figure [T] As shown in 
this figure, after normalizing the channel gains of the two 
intended links to 1, the received signals at the two receiving 
node Di and D2 can be expressed as 

Yi ^Xi + V^ATa + Zi 
Y2 = VbXi ±X2 + Z2 



where Z^, i ~ 1,2 is a zero-mean Gaussian random variable 
with unit variance, and y^, ^/b and Zi are real numbers. 
As in [9], we let Xi = VbXi and Yi = VbYi. Then from 
\, we have 



Yi=Xi + VdiX2 + VbZi 

Y2^Xi±X2 + Z2 



(26) 



In the sequel, we will focus on this scaled model which will 
be more convenient to explain our results. 

In [9], we calculate the weak secrecy rate for this model. 
In this work, we will calculate the strong secrecy rate and 
strong secrecy key rate, which we shall define shortly. 

In the strong secrecy rate problem, node Si sends a 
message Wi via Xi to node Di, which must be kept secret 
from node D2- Let Mi be the local randomness at 5*1 and 
/, be its encoding function at the ith channel use. Then we 
have: 



X 



h{Wi,Mi) 



(27) 



Node S2, the cooperative jammer, sends signal X2- 
Let Wi be the estimate of Wi by node Di. For Di to 
receive Wi reliably, we require 



lim Pr [Wi ^ Wi] ^ 



(28) 



In addition, since Wi must be kept secret from D2, we 
require the strong secrecy notion as defined in (O, which 
takes the following expression for this model: 



lim I{Wi;Y^') = 

n^oo 

The achieved secrecy rate Re is defined as: 



(29) 



Re = lim -H {Wi 

n^oo 77, 



(30) 

such that the conditions ( l28l l. ( |29] l are fulfilled simultane- 
ously. 

In the secret key generation problem, node Si and Di com- 
municate for n channel uses and after that wants to generate 
the same key from the signals available to them. Let .91,52 
be the generation function used by Si and Di respectively. 
Let Ml, M2 be their local randomness respectively. Then 



Ki=gi{Mi) 
ki ^ g2{M2,Y{') 



(31) 
(32) 



The encoding function at node 1 for the ith channel use is 
defined as 



and we require: 



^1,. = h{Mi) (33) 

lim Vt{Ki ^ ki) = (34) 
lim /(/Vi;y2") = (35) 

n — ^00 

The achieved secrecy key rate Rk,e is defined as 

i?fc.e = lim -H{Ki) (36) 

rt— »oo n 



such that the conditions ( [34] i. ( [35] l are fulfilled simultane- 
ously. 

For both problems, there are two constraints on the input 
distribution to the channel model in ( |26] ): First, we assume 
there is no common randomness shared by the encoders of 
Si and 5*2. This means, the input distribution to the channel 
is constrained to be 



p{XT)p{X^) 



(37) 



where m is the number of channel uses involved. Intuitively, 
this implies that if X2 is employed to send interference to 
confuse the eavesdropper, its effect can not be mitigated by 
coding Xi via dirty -paper coding [24]. 

Second, the average power of Xi is constrained to be Pi. 
If Xi j is the jth component of Xi, this means: 



^ m 

lim —y^E 



\x, 



<P,. 



1,2 



(38) 



In the next section, we examine the high SNR behavior 
of Re and i?e fe when these two requirements on the channel 
input distribution are fulfilled. 

V. Main Results 

Definition 2: The secure degree of freedom of the secrecy 
rate is defined as: 

Re 



s.d.o.f. = lim sup 



Pi— >oo,z=l,2 1 1 



2 



(39) 



The secure degree of freedom of the secrecy key rate is 
defined in the same way by replacing Re in ( [39] l with Rk^e- 
We also notice that any \/ab, Vab ^ 0, can be represented 
in the following form: 

Vab = p/q + •y/q (40) 

where p, q are positive integers, and — 1<7<1,7^0. In 
this case, the channel model (l26T l can be expressed as: 

qYi = qXi + (p + 7) X2 + qVbZi (41) 
1^2 = ^1 ± ^2 + Z2 (42) 

Using this notation, we have the following theorem regarding 
the achievable secure degree of freedom: 

Theorem 2: There exists a encoder {/i}, such that the 
following secure degree of freedom is achievable using nested 
lattice codes when < I7I < 0.5: 



0.25 log2 (q)-1 
ilog2 M+1) 



1 + 



where 



and 



1 - 27^ + yi - 472 
274 



P^q^ + ijP + l) 



(43) 



(44) 



(45) 



such that for any given transmission power 

lim - - logn / (Wi ; K" ) > (46) 

n— >oo Jl 

where n denotes the total number of channel uses. 

Theorem 3: There are generation functions gj^j ~ 1,2 
with explicit construction, such that ( |43] | is the achievable 
secure degree of freedom for the key generation problem, 
and for any given transmission power: 

lim -^log2/(A-i;r2") >0 (47) 

n— »oo 

where n denotes the total number of channel uses. 

Remark 1: In [9], we proved that ( |43] | is the achievable 
s.d.o.f. for the weak secrecy notion. Here, we show that the 
same s.d.o.f. is achievable for the strong secrecy notion. 

Remark 2: Reference [14], [17] show that using the strong 
secrecy notion instead of the weak one did not decrease the 
achievable secrecy rate. This coincides with the observation 
in Remark[T] Yet, the proofs in [14], [17] use random codes, 
and does not naturally extend to the lattice codes. One way 
to get around this problem is to treat each lattice point as 
a single channel use [15], and design random codes for 
this extended channel using the method [14]. However, as 
mentioned in the introduction, doing so will not achieve the 
exponential decrease property as given by ( |46] | and Wt\ . 
To see that, let each codeword in this randomly generated 
codebook contains M lattice points, and the dimension of the 
lattice be N . Then it was proved in [22] that the decoding 
error probability decreases exponentially with respect to N . 
Also from the coding scheme in [14], we have I{W\Y2) 
decreases exponentially with respect to AI. Since the total 
number of channel uses in this case is MN, ( |46] | and (|47] | no 
longer holds unless N does not increase proportionally with 
M. Hence, unless a significant price is paid on the decoding 
error probability, the exponential decrease in I{W] Y^) can 
not be preserved. 

Remark 3: The proof of Theorem |2] uses universal hash 
function and is existential. The secrecy notion achieved by 
Theorem [3] is weaker but its proof is constructive. The proof 
uses on the extractor function proposed in [21], which gives 
explicit construction of the function. 

VI. Proof of Theorem[2] 

We first introduce some useful results on universal hash 
functions. 

Definition 3: [18, Definition 1] A set of functions A 
S is a class of universal hash fiinction if for a function g 
taken from the set according to a uniform distribution, and 

xi,X2 G A,xi 7^ X2, the probability that g{xi) = 5(2:2) is 
at most l/\B\. 

Theorem 4: [18, Corollary 4] Let G be selected according 
to a uniform distribution from a class of universal hash 
function from A to GF{qY. For two random variables A, B, 
if for a constant c, H2{A\B = b) > c, then 

H{GiA)\G,B = b)>rlog2q-^-^^ (48) 



Let G be taken from a set of linear mapping from GF{q)'^ 
to GF{qY according to a uniform distribution. Hence G can 
be represented as a matrix over GF{q) with r rows and 
columns. For this class of G, we have the following lemma: 

Lemma 4: The probability that G has full row rank is 
greater than 1 — q^~^ . 

Proof: Let g;, i = 1, be the ith row of G. Then G 
does not have full row rank if and only if 

ai5i +0252 + ••• + ar.gr = 0, a; G GF(g) (49) 

Since at least one has to be non-zero, there are q'' — 1 
possible choice for a;. 

For each choice of {a;}, since one is not zero, there 
are solutions for {gi\. Hence there are at most 

qN(r-i)^qr _ 2) Cs that do not have full row rank. There are 
g^'' possible Gs in all, each chosen with equal probability. 
Hence the probability that G does not have full row rank 
smaller than q^"^ , and we have Lemma |4] ■ 
The reason that we are interested in this class of G is because 
of the following lemma: 

Lemma 5: [18] The set of linear mapping as defined in 
Lemma |4] is a class of universal hash function. 
We then briefly describe the lattice codebook from [9], which 
we shall generate strong secrecy from. 

In this coding scheme, node Sk sends the signal Xj^ over 
A^ channel uses, is the sum of codewords from several 
layers as shown below: 

M 

k^l,2 (50) 

i=l 

where M is the total number of layers in use. X^^ is the 
signal sent by the Sk in the ith layer For each layer, we use 
the nested lattice code described in Sectionlllll Let {A^, Ac,i} 
be nested lattice pair assigned to layer i. Then the signal Xj^^ 
is computed according to this nested lattice pair as: 

= «■^ + dkd mod A,,, fc = 1, 2, * = 1, M 

(51) 

where d^^ is the dithering vector, uniformly distributed 
over V (Ac,;), perfectly known by all receiving nodes and 
independently generated for each node, each layer and each 
block of N channel uses. Let u^- be the lattice point such 
that: 

<»e V(Ae,.)nA,, fc = l,2 (52) 

Note that both node Si and 5*2 use the same lattice codebook 
for each layer. We choose the input distribution to the channel 
such that is uniformly distributed over V (A^;) n Aj and 
is independent between each node, each layer and each 
bloc of A^ channel channel uses. 

Define Ri,i = 1, M as the rate of the codebook for the 
ith layer: 

= 4log2|V(A,,,)nA,| (53) 



Define Rq as the average rate per layer: 



1 " 
^0= mE^^ 



(54) 



Define A*^nV(Ac)^^ as the M-fold Cartesian product of A^n 
V{Ac^t),i = 1...M. Note that A^^n V(Ac)*^ is also a nested 
lattice codebook. Its dimension is denoted by iV = MN. 



Define tf^,i 



1,2 as the Cartesian product of u^j,k = 



1, ...,M,i= 1,2. Define if as ug^ 
1, M. The shorthand d ~ d to denote d 



N _ 



mod Ac, k = 
1,2. 



df,J 



Let [xj be the operation that rounds x to the nearest integer 
less than or equal to x. Define iVo as 



No = 



log2|A^^nV(Ac) 



Then 



No > NRo - 1 



(55) 



(56) 



M 



Choose the subset K of the codebook (A + df )^^n V (A^) 
that yields the minimal average decoding error probability 
with the lattice decoder and has size \K\ ~_2^°. Define v as 
the one-to-one mapping from to GF(2^°). 

We begin with the fact that © is independent from 
if, from which we have: 



H2 (z;(if)|if ©if =i^\d = d) [v{t 



N 



(57) 



According to Corollary [T] we have, for a given integer 



1 < a < 2^ and i^ taken from A^^ n V{kcY', 
probability of at least 1 - 2^^"/'^'^^: 

H2 (v{tf)\tf ®t§ ^t'',d = d, T = a 



>H2 (i'(if )|if ©i^^ 

:^No ~N - s 

<N{Ro s 



N 



a, 
with a 

(58) 

' (59) 
(60) 
(61) 



where (|6TT l follows from 

For a positive integer fg, let G be a random function which 
is uniformly distributed over the set of linear functions from 
GF(2)^n to GF(2)*'n. Then when dSSjl-dSB holds, we have 
the following equations because of Theorem |4l 



H{G[v{t'^)]\G,t'; 
2P0-C 



N 



,N 



,N 



d.T 



>ro' 



In 2 

where c = N{Ra - 1) - 1 - s 
Since the probability that 

2-(s/2-l) Jjj^yg. 



(62) 
(63) 



■ dMT l holds is at least 1 — 



H(G[v{t^)) |G,if ©if ,d,T 
XI- 2-(^/2-i, I I 



,N 

2fo-c 



(64) 
(65) 



Choose s ~ sN, where < £ < i?o 
that for S > 0: 



In 2 

— 1. Choose fo such 



It can be verified for this ro we have 

< ro < ^[^0 - 1 - e']+ (67) 

for a constant e' > 0. For this fp and s, from ( l65T l, we observe 
that there exists /? > 0, such that 



l{G{i>itf)) ;if ©if ,d,r|G) <e- 



(68) 



We next use the fact that for sufficiently large N, hence N, 
most G has full row rank as shown in Lemma |4] Therefore, 
there must exists a G — g, such that 

1) g has full rank. 

2) / (g (w(if )) ; if © if, T\G = ,9) < 2e-^^ 

Note that this g is chosen for a uniform distribution for 
if, I = 1,2, if and if being independent and is not 
necessarily a good choice for other channel input distribution. 

This result can then be used to an encoder with rate 
arbitrarily close to [A/(i?o ~ 1)]^' shown below: 

' .9 
9 

invertible. Define S such that S' such that 



Let g' be (A^'o — ro) x Nq matrix such that 



IS 



9foxNa 



.(if) 



S' - 

(iVo-ro)xl 

SfQ X 1 



Then 5" = g(w(if )). Define A as the inverse of 
the encoder is given by: 



S' - 

(A'o-fo)xl 

SfQ X 1 



(69) 



then 



(70) 



where S £ GF(2''") be the input to the encoder. We assume 
5 is uniformly distributed over GF(2*^")- ^f ^ A^^ n 
V(Ac)^^ be its output. S' represents the randomness in the 
encoding scheme. We observe that, if {^^^^ -^-i^j^, S'foxi} 
is uniformly distributed over GF(2)^° and ( iTOb is used as 
the encoder, if is also uniformly distributed over the set K. 
Since G = g is chosen when if has a uniform distribution 
over K, this means when ( iTOl i is used as an encoder, ( |68] ) 
still holds. 

With this encoder as dTOl i. and S be the confidential 
message W, G = g, (|68] | can be re-written as 



{W;tf 



t^,d,T] <2e 



-/3MN 



From Theorem [U it can re-written as 



+ X-,df,df)<2e 



N ,N ,N\ 



(71) 



(72) 



Since = Xf 
inequality, ( |72] | implies 



Z2 , from the data processing 



/(M/;y/,df,df) <2e-^^'^ 



(73) 



Again the proof so far does not depend on the nature 
of = 1,2. As shown in [9], dj^ only affects the 

probability of decoding errors at the intended receiver and the 
average power of the transmitters, and we can choose dj' as 
deterministic vectors. In this case, ( f73] l is simply I{W; K 



fo<N{Ro-l)-s~N6<No-N-s~NS/2 (66) jjence we have proved the theorem. 



VII. Proof of Theorem[3] 

We first introduce some useful results on extractor func- 
tions. 

The definition of an extractor function can be found in [17, 
Definition 6]. For a random variable whose min-entropy can 
be lower bounded, [17] has the following lemma: 

Lemma 6: [17, Lemma 9] Let (5',Ai,A2 > be con- 
stants. Then there exists, for all sufficiently large N, an 
extractor function E: {0, 1}^ x {0, l}'^ {0, 1}'', where 
d < AiN and r > (S' - A2)N, such that for all random 
variables A whose alphabet is defined over {0, 1}^ and 
HooiA) > S'N, we have 

H{E{A,V)\V)>r-2-^'^''°''^^ (74) 

The lemma says introducing a small amount of pure ran- 
domness, V, one can extract almost all min-entropy from a 
weakly random source. Its proof can be found in [17], which 
is based on an efficiently constructible extractor design from 
[21]. 

We use the same lattice codebook from [9] and follow the 
same notation in Section [Vl] 
We begin with: 



Ho. («(if ) |tf ® 4' ^t'\d^d)^H^ {v{t'^ ) j (75) 

According to Corollary [T] we have, for a given integer a, 1 < 
a < 2^ and taken from A^^ n V(Ac)^^, with probability 

1 - 2-": 



N ri^.N _ _,_N 
to 



(76) 



,2 -t" ,d^ d,T = a] 

>-ffoo [v{t^)\t^ ®t§ ^t^,d = - log2 |r| - s (77) 

^Na -N^s (78) 

>N{Ro - 1) - s - 1 (79) 



where (|79] | follows from 

We then choose r and 6' as in Lemma |6] This means for a 
A2 > 0, we choose r > N{Rq — 1 — A2). Applying Lemma 
|6]we have the following bounds when (l76]l-(|79]l holds: 



HiEivlt'^ ],V\ \V,t'^ ®t'^ =t'\d^d,T = a 



> r-2 



-N'^'^-o{1) 



(80) 
(81) 



Since the probabihty that (l76]l-(|79]l holds is at least 1-2 ^ 
we have: 

H(E(v(tf),v)\V,t^ ®t^,d,T) (82) 

>(l-2-^) (r-2-^'''-°(i)) (83) 

Choose s = eN, where < e < i?o — 1- Then from 
we observe that there exists /? > 0, such that 



IE 



(84) 



The secret key is then generated from the following 
procedure: First node 5*1 transmit the pure random sequence 



V to Di. According to Lemma |6] since the length of binary 
representation of V is smaller than AiA^, where Ai can be 
arbitrarily small, the rate penalty of sending V is negligible. 
Then node 5*1 transmits the over N channel uses, while 
52 transmits t^^, using the nested lattice coding scheme 
described in Section IvTl tj^,j = 1,2 is chosen such that 
they are uniformly distributed over A^-'^ n V{Ac)^^ and 
and t2 being independent. Finally node Di decode t'^ using 
the algorithm given in [9]. The secret key is computed from 
E(v(t^),V). 



In this protocol, it is clear that the eavesdropper's knowl- 



edge is a degraded version of V, if 0^2 1 ^- From 
observe that K is secure. Hence we have proved the theorem. 

Remark 4: It is not clear how to invert the extractor 
function in [21] efficiently, which requires us to obtain A 
from E{A, V) and V. Because of this reason, the method 
is only used for secret key generation, but not for secret 
message transmission in this work. 

VIII. Conclusion 

In this work, we developed coding schemes which provides 
strong secrecy by combining nested lattice codes with either 
universal hash function or the extractor function. In our 
previous work [8], the representation theorem for nested 
lattice codes is used to bound the Shannon entropy and prove 
weak secrecy rates. Here we showed the same theorem is also 
useful in bounding other information theoretic measure, i.e., 
the Renyi entropy and the min entropy, which in turn leads 
to strong secrecy results. With these coding schemes, we 
showed that for an interference channel with a confidential 
message, the same secrecy rate, and hence the same secure 
degree of freedom derived for weak secrecy is achievable for 
the strong secrecy notion as well. The rate region where both 
users have confidential messages to transmit can be obtained 
by time-sharing between the individual rates. Compared to 
previous strong secrecy scheme with nested lattice code, our 
scheme achieves faster decrease for the mutual information 
between the message and the eavesdropper's observation with 
respect to the number of channel uses. 

Appendix A 
Proof of Lemma[3] 

Consider the set: 

, max^Pi (X = x\T = t) „ „„„ , 
A=it: L — ^ — ^>2''||rllS> (85) 



maxa; Pr {X = x) 

Equation (fT2] i is equivalent to Pr [t E A] < 2"''. Suppose it 
is otherwise: 

Pr [t'EA]> 2-" (86) 

Then we have 

Et [maxPr {X = x\T = t)] (87) 

= ^Pr(r = t)maxPr(A: = xir = (88) 
t ^ 

> ^ Pr(T = t)maxPr(X = a;|T = (89) 



=2" ||ri|maxPr(X = x) V Pr (T = t) (90) 

>||T||maxPr(X = a;) (91) 
On the other hand, define as: 

x*t = argmaxPr {X = x\T = t) (92) 
Then we have: 



Therefore 



maxPr {X = x) 

X 

>Vr ( Y — T*\ 
^rr ^ Xf j 

= 2^ Pr (X = |r = t) Pr (T = 

t 




(93) 
(95) 


> Pr {X = x;\T = t) Pr {T = t) 
= maxPr {X = x|T = t) Pr (T = 


t) 


(96) 
(97) 


[maxPr(X = xjT = 

L X 




(98) 


y Pr (T = t) maxPr {X = a;|T 




(99) 


> maxPr {X ~ x) 

^ — ^ X 

t 




(100) 


\\T\\ maxPr {X = x) 




(101) 



To obtain (fTOOl i, we apply (|93ll-(|97li. (l98l)-(fToT]) contradicts 
(l87]i-(|9TTi. Hence we have proved the lemma. 



[12] X. He and A. Yener. Secure Degrees of Freedom for Gaussian 
Channels with Interference: Structured Codes Outperform Gaussian 
Signalling. In IEEE Global Telecommunication Conference, November 
2009. 

[13] R. W. Yeung. A first course in information theory. Kluwer Aca- 
demic/Plenum Publishers New York, 2002. 

[14] 1. Csiszar. Almost independence and secrecy capacity. Problems of 
Information Transmission, 32(l):48-57, 1996. 

[15] X. He and A. Yener. Secure Communication with a Byzantine Relay. 
In IEEE International Symposium on Information Theory, June 2009. 

[16] X. He and A. Yener. Secure Communication in the Presence of a 
Byzantine Relay. Submitted to IEEE Transactions on Information 
Theory, 2009. 

[17] U. Maurer and S. Wolf. Information-theoretic key agreement: From 
weak to strong secrecy for free. Lecture Notes in Computer Science, 
pages 351-368, 2000. 

[18] C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer. Generalized 
privacy amplification. IEEE Transactions on Information Theory, 
41(6):1915-1923, November 1995. 

[19] S. A. Jafar. Capacity with Causal and Non-Causal Side Informa- 
tion - A Unified View. IEEE Transactions on Information Theory, 
52(12):5468-5475, December 2006. 

[20] C. Cachin. Entropy Measures and unconditional security in cryptog- 
raphy. PhD Thesis, 1997. 

[21] S. P. Vadhan. Extracting all the randomness from a weakly random 
source. Electronic Colloquium on Computational Complexity, Techni- 
cal Report TR98-047, December 1998. 

[22] U. Erez and R. Zamir. Achieving 1/2 log (1+ SNR) on the AWGN 
Channel with Lattice Encoding and Decoding. IEEE Transactions on 
Information Theory, 50(10):2293-2314, October 2004. 

[23] X. Tang, R. Liu, P. Spasojevic, and H. V. Poor The Gaussian Wiretap 
Channel With a Helping Interferer. In IEEE International Symposium 
on Information Theory, July 2008. 

[24] M. Costa. Writing on dirty paper. IEEE Transactions on Information 
Theory, 29(3):439^41, May 1983. 



References 

[1] C. E. Shannon. Communication Theory of Secrecy Systems. Bell 

System Technical Journal, 28(4):656-715, September 1949. 
[2] A. D. Wyner The Wire-tap Channel. Bell System Technical Journal, 

54(8):1355-1387, 1975. 
[3] 1. Csiszar and J. Korner. Broadcast Channels with Confidential 

Messages. IEEE Transactions on Information Theory, 24(3):339-348, 

May 1978. 

[4] S. Leung- Yan-Cheong and M. Hellman. The Gaussian Wire-tap 
Channel. IEEE Transactions on Information Theory, 24(4):451^56, 
July 1978. 

[5] E. Tekin and A. Yener. The General Gaussian Multiple Access 
and Two-Way Wire-Tap Channels: Achievable Rates and Cooperative 
Jamming. IEEE Transactions on Information Theory, 54(6):2735- 
2751, June 2008. 

[6] R. Liu and H. V. Poor Multi-Antenna Gaussian Broadcast Channels 
with Confidential Messages. In International Symposium on Informa- 
tion Theory, July 2008. 

[7] R. Liu, 1. Marie, P. Spasojevic, and R. D. Yates. Discrete Memoryless 
Interference and Broadcast Channels with Confidential Messages: 
Secrecy Rate Regions. IEEE Transactions on Information Theory, 
54(6):2493-2507, June 2008. 

[8] X. He and A. Yener Providing Secrecy with Lattice Codes. In 
46th Allerton Conference on Communication, Control, and Computing, 
September 2008. 

[9] X. He and A. Yener. Providing Secrecy With Structured Codes: Tools 
and Applications to Gaussian Two-user Channels. Submitted to IEEE 
Transactions on Information Theory, July, 2009, Available onHne at 
|http://arxiv!or g/abs/0907.5388 

[10] X. He and A. Yener. The Gaussian Many-to-One Interference 
Channel with Confidential Messages. In IEEE International Sym- 
posium on Information Theory, June 2009. Available online at 
|http://arxiv.org/abs/0905 .2640 1 

[11] X. He and A. Yener i^-user Interference Channels: Achievable 
Secrecy Rate and Degrees of Freedom. In IEEE Information Theory 
Workshop, June 2009. 



